[FIX] added fixes for account expired

Author: aricart

nats-base-client/core.ts

@@ -88,6 +88,7 @@ export enum ErrorCode {
   ProtocolError = "NATS_PROTOCOL_ERR",
   PermissionsViolation = "PERMISSIONS_VIOLATION",
   AuthenticationTimeout = "AUTHENTICATION_TIMEOUT",
+  AccountExpired = "ACCOUNT_EXPIRED",
 }
 
 export function isNatsError(err: NatsError | Error): err is NatsError {
@@ -170,7 +171,8 @@ export class NatsError extends Error {
 
   isAuthError(): boolean {
     return this.code === ErrorCode.AuthenticationExpired ||
-      this.code === ErrorCode.AuthorizationViolation;
+      this.code === ErrorCode.AuthorizationViolation ||
+      this.code === ErrorCode.AccountExpired;
   }
 
   isAuthTimeout(): boolean {

nats-base-client/deno.json

@@ -1,6 +1,6 @@
 {
   "name": "@nats-io/nats-core",
-  "version": "3.0.0-14",
+  "version": "3.0.0-15",
   "exports": {
     ".": "./mod.ts",
     "./internal": "./internal_mod.ts"

nats-base-client/protocol.ts

@@ -340,8 +340,7 @@ export class Subscriptions {
         sub = subs.find((s) => {
           return s.subject === ctx.subject && s.queue === ctx.queue;
         });
-      }
-      if (ctx.operation === "publish") {
+      } else if (ctx.operation === "publish") {
         // we have a no mux subscription
         sub = subs.find((s) => {
           return s.requestSubject === ctx.subject;
@@ -693,22 +692,29 @@ export class ProtocolHandler implements Dispatcher<ParserEvent> {
       const err = new NatsError(s, ErrorCode.PermissionsViolation);
       const m = s.match(/(Publish|Subscription) to "(\S+)"/);
       if (m) {
+        const operation = m[1].toLowerCase();
+        const subject = m[2];
+        let queue = undefined;
+
+        if (operation === "subscription") {
+          const qm = s.match(/using queue "(\S+)"/);
+          if (qm) {
+            queue = qm[1];
+          }
+        }
         err.permissionContext = {
-          operation: m[1].toLowerCase(),
-          subject: m[2],
-          queue: undefined,
+          operation,
+          subject,
+          queue,
         };
-
-        const qm = s.match(/using queue "(\S+)"/);
-        if (qm) {
-          err.permissionContext.queue = qm[1];
-        }
       }
       return err;
     } else if (t.indexOf("authorization violation") !== -1) {
       return new NatsError(s, ErrorCode.AuthorizationViolation);
     } else if (t.indexOf("user authentication expired") !== -1) {
       return new NatsError(s, ErrorCode.AuthenticationExpired);
+    } else if (t.indexOf("account authentication expired") != -1) {
+      return new NatsError(s, ErrorCode.AccountExpired);
     } else if (t.indexOf("authentication timeout") !== -1) {
       return new NatsError(s, ErrorCode.AuthenticationTimeout);
     } else {

nats-base-client/tests/auth_test.ts

@@ -22,6 +22,7 @@ import {
   assert,
   assertArrayIncludes,
   assertEquals,
+  assertExists,
   assertRejects,
   assertStringIncludes,
   fail,
@@ -32,7 +33,7 @@ import {
   encodeOperator,
   encodeUser,
 } from "jsr:@nats-io/[email protected]";
-import type {
+import {
   MsgImpl,
   NatsConnection,
   NatsConnectionImpl,
@@ -1259,27 +1260,23 @@ Deno.test("auth - request context", async () => {
   await cleanup(ns, nc, a);
 });
 
-Deno.test("auth - sub permission reload", async () => {
+Deno.test("auth - sub queue permission", async () => {
   const conf = {
     authorization: {
       users: [{
         user: "a",
         password: "a",
-        permissions: { subscribe: ["q A", "h"] },
+        permissions: { subscribe: ["q A"] },
       }],
     },
   };
 
-  const { ns, nc } = await _setup(connect, conf, {
-    user: "a",
-    pass: "a",
-    debug: true,
-  });
+  const { ns, nc } = await _setup(connect, conf, { user: "a", pass: "a" });
 
   const qA = deferred();
   nc.subscribe("q", {
     queue: "A",
-    callback: (err, msg) => {
+    callback: (err, _msg) => {
       if (err) {
         qA.reject(err);
       }
@@ -1289,7 +1286,7 @@ Deno.test("auth - sub permission reload", async () => {
   const qBad = deferred<NatsError>();
   nc.subscribe("q", {
     queue: "bad",
-    callback: (err, msg) => {
+    callback: (err, _msg) => {
       if (err) {
         qBad.resolve(err);
       }
@@ -1306,3 +1303,47 @@ Deno.test("auth - sub permission reload", async () => {
   assertStringIncludes(err.message, 'using queue "bad"');
   await cleanup(ns, nc);
 });
+
+Deno.test("auth - account expired", async () => {
+  const O = nkeys.createOperator();
+  const A = nkeys.createAccount();
+
+  const resolver: Record<string, string> = {};
+  resolver[A.getPublicKey()] = await encodeAccount("A", A, {
+    limits: {
+      conn: -1,
+      subs: -1,
+    },
+  }, { signer: O, exp: Math.round(Date.now() / 1000) + 3 });
+
+  const conf = {
+    operator: await encodeOperator("O", O),
+    resolver: "MEMORY",
+    "resolver_preload": resolver,
+  };
+
+  const U = nkeys.createUser();
+  const ujwt = await encodeUser("U", U, A, { bearer_token: true });
+
+  const { ns, nc } = await _setup(connect, conf, {
+    debug: true,
+    reconnect: false,
+    authenticator: jwtAuthenticator(ujwt),
+  });
+
+  const d = deferred();
+  (async () => {
+    for await (const s of nc.status()) {
+      if (s.type === Events.Error && s.data === ErrorCode.AccountExpired) {
+        d.resolve();
+        break;
+      }
+    }
+  })().catch(() => {});
+
+  const w = await nc.closed();
+  assertExists(w);
+  assertEquals((w as NatsError).code, ErrorCode.AccountExpired);
+
+  await cleanup(ns, nc);
+});

nats-base-client/tests/connect.ts

@@ -1 +1 @@
-export { connect } from "jsr:@nats-io/[email protected]2";
+export { connect } from "jsr:@nats-io/[email protected]4";

nats-base-client/tsconfig.json

@@ -7,9 +7,9 @@
     "sourceMap": true,
     "declaration": true,
     "allowJs": true,
-    "removeComments": false,
+    "removeComments": false
   },
   "include": [
     "cjs/**/*"
   ]
-}
+}